DETAILED ACTION

This action is responsive to the response to the request for continued examination filed 
August 14, 2007. Claims 1-28, 34-42, 44-53 are pending. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

1. Claims 1-16, 19-28, 34-40 and 44-50 are rejected under 35 U.S.C. 103(a) as being 
anticipated by Win et al. US Patent No. 6,182,142 in view of Theimer et al US Patent No. 
5,649,099. Win teaches the invention as claimed including access and registry servers to provide 
secure access to clients (see abstract). 

As per claims 1, 34, 39 and 50 Win et al. teaches a method, system, means and computer 
tangible medium for accessing resources on a private network via an intermediary server said 
method comprising: 

receiving a login request from a user for access to the intermediary server (user login to 
Access Server (106) column 6, lines 6-24, column 9, lines 45-67; a firewall (118) separates the 
Internet and the Access Server (106) Intranet is the private network; column 22, lines 50-64; 
Figures 1 and 8);

authenticating the user in response to the login request (Authentication Client Module
authenticates user by verifying user login with Registry Server (108), column 6, lines 49-51); 

receiving a resource request from the authenticated user at the intermediary server, the 
resource request requesting a particular operation with respect to a resource from the private 
network (User selects resource to be accessed from protected server (112), column 6, lines 16- 
24, lines 65-67); 

obtaining access privileges for the authenticated user in response to the resource request 
(cookie sent to browser with access privileges; column 8, lines 56-67); 

determining whether the access privileges for the authenticated user permit the 
authenticated user to perform the particular operation at the private network (Access Server 
decrypts "roles cookie" to determine privileges Figure 3 (320), column 8, lines 56-67), and

preventing performance of the particular operation at the private network if access 
privileges for the authenticated user do not permit the authenticated user to perform the particular 
operation at the private network (Access restricted (322)). 

Win does not explicitly teach that the authentication and prevention of performance of a 
particular operation are done by an intermediary server. Theimer teaches that an intermediary, 
which can be a server, is a process between a client and a server and teaches that the client is 
authenticated by an authentication server located between the client and the server. See figure 
1A, column 7, lines 54-67; column 8, lines 1-67; column 9, lines 1-67. It would have been
obvious to a person of ordinary skill in the art at the time of the invention to combine 
authentication of Win with the intermediaries of Theimer. A person of ordinary skill in the art 
would have been motivated to do this to delegate some of the duties of the server and client.

As per claims 19 and 44, Win et al. teaches a method for providing remote access to a
private network via an intermediary server said method comprising: 

receiving a login request from a remote user for access to the intermediary server (user 
login to Access Server (106) column 6, lines 6-24, column 9, lines 45-67; a firewall (118) 
separates the Internet and the Access Server (106) Intranet is the private network; column 22, 
lines 50-64; Figures 1 and 8); 

determining whether the remote user is permitted access to the intermediary server based 
on the login request (Authentication Client Module authenticates user by verifying user login
with Registry Server (108), column 6, lines 49-51);

granting the remote user access to the intermediary server if the remote user is permitted
access to the intermediary server, the granted access carrying access privileges to a portion of the
private network (Access Server decrypts "roles cookie" to determine privileges Figure 3 (320),
column 8, lines 56-67);

receiving a resource request from the remote user at the intermediary server if the user is 
granted access to the intermediary server, the resource request requesting a particular resource on 
the private network (User selects resource to be accessed from protected server (112), column 6, 
lines 16-24, lines 65-67); 

determining whether the resource request from the remote user is permitted by the access 
privileges (Access Server decrypts "roles cookie" to determine privileges Figure 3 (320), column
8, lines 56-67);

supplying the particular resource to the remote user through the intermediary server if the
resource request from the remote user is permitted by the access privileges (Figure 3C); and

denying the remote user from access to the particular resource if the resource request 
from the remote user is not permitted by the access privileges (Access restricted (322)). 

Win does not explicitly teach that the authentication and prevention of performance of a 
particular operation are done by an intermediary server. Theimer teaches that an intermediary, 
which can be a server, is a process between a client and a server and teaches that the client is 
authenticated by an authentication server located between the client and the server. See figure 
1A, column 7, lines 54-67; column 8, lines 1-67; column 9, lines 1-67. It would have been
obvious to a person of ordinary skill in the art at the time of the invention to combine 
authentication of Win with the intermediaries of Theimer. A person of ordinary skill in the art 
would have been motivated to do this to delegate some of the duties of the server and client. 

As per claims 2 and 35, Win et al. teaches a method as recited in claim 1, wherein the
particular operation is one of a file access operation or an email operation (resource request 
column 6, lines 65-67) 

As per claim 3 and 36, Win et al. teaches a method as recited in claim 1 wherein said 
authenticating determines whether the user is authenticated based on an external authentication 
server (Access server (106) and registry server (108) that exchange information to authenticate a 
user. Registry server (108) verifies user name and password).

As per claim 4, Win et al. teaches a method as recited in claim 3 wherein the external
authentication server is within the private network (Registry server (108) coupled to Access
server (106), Figure 5A).

As per claims 5, 37 and 52, Win et al teaches a method as recited in claims 1 and 51, 
wherein the intermediary server stores the access privileges for a plurality of users (Access 
server (106) stores Authentication client module, column 6, lines 48-51).

As per claim 6, Win et al. teaches a method as recited in claim 1, wherein the
intermediary server stores an authentication identifier for each of a plurality of users, the 
authentication identifier identifying an external authentication server to be used to perform said 
authenticating (b) (Access server (106) and registry server (108) that exchange information to 
authenticate a user. Registry server (108) verifies user name and password). 

As per claim 7, Win et al. teaches a method as recited in claim 6, wherein the external 
authentication server is within the private network (Registry server (108) coupled to Access 
server (106), Figure 5A).

As per claim 8, Win et al. teaches a method as recited in claim 7, wherein the 
authentication identifier comprises a network address for the external authentication server 
(column 12, lines 26-67).

As per claim 9, Win et al. teaches a method as recited in claim 1, wherein the resource
request is from a client-side application running on a client machine (column 5, lines 9-15). 

As per claim 10, Win et al. teaches a method as recited in claim 9, wherein the client side 
application is one of a web browser, an email application or a file access application (column 5, 
lines 9-15). 

As per claim 11, Win et al. teaches a method as recited in claim 1, wherein the user is a 
remote user (column 5, lines 9-15). 

As per claims 12 and 38, Win et al. teaches a method as recited in claim 1, wherein the 
resource request is from a client-side application running on a remote client machine (column 5, 
lines 9-15). 

As per claim 13, Win et al. teaches a method as recited in claim 1, wherein the private
network is an intranet or a corporate network (column 5, lines 15-17; column 22, lines 50-67).

As per claim 14, Win et al. teaches a method as recited in claim 1, wherein the resource
request is from a network browser (column 5, lines 9-15). 

As per claims 15 and 53, Win et al. teaches a method as recited in claims 1 and 51,
wherein said method further comprises: performing the particular operation at the private
network to determine a response to the resource request if the access privileges for the
authenticated user permit the authenticated user to perform the particular operation on the private 
network (column 8, lines 56-60). 

As per claims 16 and 40, Win et al. teaches a method as recited in claims 1 and 34,
wherein the authenticated user has an Internet Protocol (IP) address and wherein said 
determining if the access privileges for the authenticated user permit the authenticated user to 
perform the particular operation comprises: 

determining whether the access privileges for the authenticated user permit the 
authenticated user to perform the particular operation at the private network (column 8, lines 34- 
38); and 

determining whether the IP address is authorized (column 8, lines 38-41).

As per claims 20 and 45, Win et al. teaches a method as recited in claim 19, wherein said 
supplying the particular resource comprises: retrieving the particular resource from a content 
server (column 8, lines 45-55); 

modifying at least one URL within the particular resource (column 11, lines 55-67); 

and sending the modified resource to the remote user (column 12, lines 1-10).

As per claims 21, 23, 46 and 48, Win et al. teaches a method as recited in claim 19
wherein said supplying the particular resource comprises: modifying the response so that links
within the response point to the intermediate server (column 8, lines 44-55); and

sending the modified resource to the remote user (column 9, lines 6-21). 

As per claims 22 and 47, Win et al teaches a method as recited in claim 19, wherein said 
supplying the particular resource comprises: determining a host name for a remote server hosting 
the particular resource being requested (column 8, lines 45-55); 

sending a request for the particular resource to the remote server based on the 
determined host name (column 11, lines 55-67); and

receiving, at the intermediary server, a response to the request from the remote server 
(column 12, lines 1-10). 

As per claims 24 and 28, Win et al. teaches a method as recited in claim 19, wherein the
private network is a corporate network (column 5, lines 15-17). 

As per claim 25, Win et al. teaches a method as recited in claim 19, wherein the
resource request is from a network browser (column 5, lines 9-15). 

As per claims 26 and 49, Win et al. teaches a method as recited in claims 19 and 34, 
wherein the resource request is from a client-side application running on a remote client machine 
(column 5, lines 9-15).

As per claims 27 and 50, Win et al. teaches a method as recited in claims 26, 19, and 44
wherein the client-side application includes one of: a web browser, an email application or a file 
access application (column 5, lines 9-15). 

As per claim 37, Win teaches a computer readable medium as recited in claim 34 wherein 
the intermediary server stores the access privileges for a plurality of users (Access server (106) 
and registry server (108) that exchange information to authenticate a user. Registry server (108) 
verifies user name and password), and 

wherein the intermediary server stores an authentication identifier for each of a plurality 
of users, the authentication identifier identifying an external authentication server to be used to 
perform authentication (Registry server (108) coupled to Access server (106), Figure 5A).

Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

3. Claims 17 and 41 are rejected under 35 U.S.C. 103(a) as being unpatentable over Win et
al. US Patent No. 6,182,142 in view of Theimer et al US Patent No. 5,649,099 in further view of
Coley et al. US Patent No. 5,826,014. Coley teaches the invention as claimed including a firewall
system for protecting network elements connected to a public network (see abstract). Win
teaches the invention as claimed including access and registry servers to provide secure access to 
clients (see abstract). 

As per claims 17 and 41, Win and Theimer teach a method as recited in claim 16 and 40. 
Win and Theimer do not teach wherein said determining if the access privileges for the 
authenticated user permit the authenticated user to perform the particular operation further
comprises: determining whether time-of-day restrictions are satisfied. Coley teaches wherein 
said determining (e) further comprises: (e3) determining whether time-of-day restrictions are 
satisfied (column 9, lines 61-67; column 10, lines 1-26). It would have been obvious to a person 
of ordinary skill in the art at the time of the invention to combine the profiles and roles of Win 
with the time of day restriction of Coley. A person of ordinary skill in the art would have been 
motivated to do this to restrict access to the protected server (Win 112). 

As per claims 18 and 42, Win and Theimer teach a method as recited in claims 17 and
40, wherein the access privileges comprise permitted operations, authorized IP addresses, and
time-of-day restrictions for the authenticated user (Win: column 8, lines 34-67).

Conclusion 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Uzma Alam whose telephone number is (571) 272-3995. The examiner 
can normally be reached on Monday-Friday.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Ario Etienne can be reached on (571) 272-4001. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Uzma Alam 

September 20, 2007 




